In Red Hat Linux, there are three different types of user accounts:
root, normal user, and system account (pseudo-user).
Root user
- The root user is the equivalent of the Administrator or Enterprise Admin account in the Windows world.
- It is the most powerful account on the system and has access to everything.
Normal user
- Normal user accounts have no write access to anything on the system except their home directory.
- They can, however, read and explore much of the system.
System account (pseudo-user)
- A system user account is similar to a normal user account.
- The main difference is that system users normally don't have a home directory and can't log in the way normal users do.
- Many system users are created for, or associated with, a service so that it runs more securely. Think of the situation this way: if a system user is created for the Apache service (the web server) and that account is compromised, the attacker has access only to the web server and its config files. Compare this with the Apache service running as the root user; in that case, the attacker would have full access to the system. This is one more reason why you should never truly need the root account unless there is a problem with the system.
Command | Description
1. useradd | Creates user or system accounts
2. groupadd | Creates a group
3. passwd | Sets or resets the password for a user account
4. gpasswd | Sets an encrypted group password
5. usermod | Modifies user accounts
6. groupmod | Modifies the properties of a group
7. userdel | Removes a user or system account
8. groupdel | Deletes a group
9. id | Shows the UID and GIDs of a given user
10. chsh | Changes the user's login shell
11. chage | Modifies the parameters surrounding passwords (complexity, age, expiration)
12. pwck | Verifies the consistency of the password database files
13. users | Displays the currently logged-in users
14. groups | Prints the groups a user is in
15. newusers | Creates users in bulk from a file
16. system-config-users | Graphical tool to add users and groups
17. userinfo | Graphical tool to change user information
18. su | Switches user
19. sudo | Runs a command as another user (by default root)
20. finger | Displays information about system users
21. groupmems | Allows a user to administer his/her own group membership list without superuser privileges
User, group and password configuration files
Directory/File | Description
/etc/passwd | User account information (the password field is only a placeholder)
/etc/group | The groups to which users belong
/etc/shadow | Encrypted password file
/etc/gshadow | Encrypted password file for groups
/etc/shells | The valid login shells, such as bash or tcsh
/etc/skel | The default initialization files for the login shell, such as .bash_profile, .bashrc and .bash_logout; also includes user setup directories and files such as .kde for KDE and Desktop for GNOME
/etc/login.defs | Default login definitions for users
/etc/default/useradd | Defaults for user account creation
/etc/securetty | Specifies which tty devices allow root to log in
/home | The users' home directories
The password file
Syntax of /etc/passwd: account:password:UID:GID:GECOS:directory:shell
- It contains basic information about every user.
- Other users in this file may relate to services such as mail, ftp and sshd.
- There are 7 columns of information in this file.
1. Username – login name of the user
2. Password – encrypted password for the user's account
3. User ID – unique number assigned by the system
4. Group ID – number used to identify the group to which the user belongs
5. Comment – any user information, such as the user's full name
6. Home – the user's home directory
7. Login shell – shell to run when the user logs in; this is the default shell, usually /bin/bash
[root@server1 ~]# grep -i "ayyappan" /etc/passwd
ayyappan:x:500:500:K.P.AYYAPPAN:/home/ayyappan:/bin/bash
The password field is actually just a placeholder (an x). The reason is that the passwords are kept in a different file, /etc/shadow.
Tips
You can find out which users are currently logged in with the following commands:
w – detailed information
who – login details
whoami
who am i
[root@server1 ~]# w
09:19:09 up 1:41, 2 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 :0 07:42 1:41m 6.05s 6.05s /usr/bin/Xorg :
root pts/0 :0.0 08:28 0.00s 0.02s 0.00s w
[root@server1 ~]# who
root tty1 2012-07-24 07:42 (:0)
root pts/0 2012-07-24 08:28 (:0.0)
[root@server1 ~]# whoami
root
[root@server1 ~]# who am i
root pts/0 2012-07-24 08:28 (:0.0)
The group file
Syntax of /etc/group: group_name:passwd:GID:user_list
- Every Linux user is assigned to a group.
- There are 4 columns of information in the file.
1. Group name
2. Password
3. Group ID
4. Group members
[root@server1 ~]# grep -i "skylark" /etc/group
skylark:x:501:babu
The shadow and gshadow files
Syntax of /etc/shadow:
ayyappan:Ep6mckrOLChF.:10063:0:99999:7:::
/etc/shadow and /etc/gshadow
- The passwords are kept in a separate file called /etc/shadow.
- Access is restricted to the root user.
- A corresponding password file, called /etc/gshadow, is also maintained for groups that require passwords.
- /etc/shadow has 8 columns of information
- /etc/gshadow has 4 columns of information
/etc/shadow columns:
1. Username
2. Password
3. Password history
4. Min days
5. Max days
6. Warn days
7. Inactive
8. Disabled
[root@server1 ~]# grep -i "ayyappan" /etc/shadow
ayyappan:$6$UroKWL5t$NxKyZk8e70M3f81rkNTunNNE2pMvRQhX1KoqN8/7Ov7416NX/p0lYpyKFW1LeKF4/FD9mFFvUQSrIj2jkjzMb1:15545:0:99999:7:::
/etc/gshadow columns:
1. Group name
2. Password
3. Group ID
4. Group members
[root@server1 ~]# grep -i "skylark" /etc/gshadow
skylark:$6$m12bWKNx4p/wJJZ$0tQWZ2sKorkiaEDV3B/yhXnUi/8uXinUVKOF7GmoWZDhx4SmemuiiGpbEGB93RBYI0106NNVyBIzAR4K77Ry20::arun
Tips
vipw, vigr – edit the password, group, shadow and gshadow files
Options
-g – edit group database
-p – edit password database
-q – quit
-s – edit shadow and gshadow database
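As an added example (not part of the original notes), the following Python script parses records in the /etc/passwd, /etc/shadow and /etc/group formats described above and cross-checks them the way pwck does: UID 0 accounts other than root, duplicate UIDs, empty shadow password fields (an account that logs in without a password), primary GIDs missing from /etc/group, shells not listed in /etc/shells, and group members that do not exist. All records and hash strings are constructed sample data.

```python
"""Parse /etc/passwd, /etc/shadow and /etc/group records and cross-check them
the way pwck does.  All records below are constructed sample data; the
"$6$..." strings are placeholders, not real password hashes."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ayyappan:x:500:500:K.P.AYYAPPAN:/home/ayyappan:/bin/bash
babu:x:501:501::/home/babu:/bin/bash
ftpuser:x:502:502::/home/ftpuser:/sbin/nologin
admin2:x:0:0::/root:/bin/bash
"""
SHADOW = """\
root:$6$SALTSALT$PLACEHOLDERHASH:15545:0:99999:7:::
ayyappan::15545:0:99999:7:::
babu:!$6$SALTSALT$PLACEHOLDERHASH:15545:0:99999:7:::
ftpuser:*:15545:0:99999:7:::
admin2:$6$SALTSALT$PLACEHOLDERHASH:15545:0:99999:7:::
"""
GROUP = """\
root:x:0:
ayyappan:x:500:
babu:x:501:
ftpuser:x:502:
skylark:x:503:babu,ghost
"""
# Valid login shells, as listed by chsh -l above.
SHELLS = {"/bin/sh", "/bin/bash", "/sbin/nologin", "/bin/tcsh", "/bin/csh"}


@dataclass
class PasswdEntry:
    name: str
    passwd: str  # "x": the real hash lives in /etc/shadow
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def _records(text: str, nfields: int, what: str) -> List[List[str]]:
    """Split colon-separated lines, rejecting any with the wrong field count."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"malformed {what} line: {line!r}")
        out.append(fields)
    return out


def parse_passwd(text: str) -> Dict[str, PasswdEntry]:
    return {f[0]: PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6])
            for f in _records(text, 7, "passwd")}


def parse_shadow(text: str) -> Dict[str, str]:
    """Return name -> password field; the aging fields are not needed here."""
    return {f[0]: f[1] for f in _records(text, 9, "shadow")}


def parse_group(text: str) -> Dict[str, Tuple[int, List[str]]]:
    """Return name -> (GID, list of supplementary members)."""
    return {f[0]: (int(f[2]), [m for m in f[3].split(",") if m])
            for f in _records(text, 4, "group")}


def password_state(field: str) -> str:
    """Classify a shadow password field (compare the passwd -S output below)."""
    if field == "":
        return "empty"   # passwd -d: the account logs in without any password
    if field.startswith("!") or field == "*":
        return "locked"  # passwd -l / usermod -L prefix the hash with "!"
    return "set"


def audit(passwd_text: str, shadow_text: str, group_text: str) -> List[str]:
    """Cross-check the three files and list what an administrator should review."""
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    groups = parse_group(group_text)
    gids = {gid for gid, _ in groups.values()}
    uid_count = Counter(e.uid for e in users.values())
    findings = []
    for name, e in users.items():
        if e.uid == 0 and name != "root":
            findings.append(f"{name}: UID 0 account other than root")
        if uid_count[e.uid] > 1:
            findings.append(f"{name}: duplicate UID {e.uid}")
        if name not in shadow:
            findings.append(f"{name}: no /etc/shadow entry")
        elif password_state(shadow[name]) == "empty":
            findings.append(f"{name}: empty password, logs in without a password")
        if e.gid not in gids:
            findings.append(f"{name}: primary GID {e.gid} not in /etc/group")
        if e.shell not in SHELLS:
            findings.append(f"{name}: shell {e.shell} not listed in /etc/shells")
    for gname, (_, members) in groups.items():
        for m in members:
            if m not in users:
                findings.append(f"group {gname}: member {m} does not exist")
    return findings
```

Running audit(PASSWD, SHADOW, GROUP) reports the second UID 0 account, the passwordless ayyappan entry and the non-existent member ghost, while the locked babu and ftpuser entries are silent.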
User account initialization
When a user is created, everything from the /etc/skel directory is copied to the user's newly created home directory (usually under /home/). You can modify these "skeleton" files or add your own custom files. The benefit is that user creation becomes standardized, ensuring that policies are adhered to. The customizable files are broken down into two sections:
user-specific files and system-wide settings.
User-specific files
After a user is created and his home directory is populated, that user can customize those files to fit his own needs. For example, the user might like to have certain PATH values or specific environment variables set. The following three files allow a user to customize the login experience to his own style.
~/.bashrc – Defines functions and aliases
~/.bash_profile – Sets environment variables
~/.bash_logout – Defines any commands that should be executed before logging out
[root@server1 ~]# useradd -c "K.P. AYYAPPAN" ayyappan
[root@server1 ~]# passwd ayyappan
[root@server1 ~]# ls -a /home/ayyappan/
. .. .bash_logout .bash_profile .bashrc .gnome2 .mozilla
[root@server1 ~]# ls -a /etc/skel/
. .. .bash_logout .bash_profile .bashrc .gnome2 .mozilla
Editing these files allows each user to be unique in the way he operates. Because each file is stored in the user's home directory, it applies only to that single user. What happens, though, if there is a standard that you'd like set when users start out? Glad you asked.
Global user configuration
Just as with the /etc/skel directory, you can edit the following three additional files to provide a more standardized setup for your users:
/etc/bashrc – Defines functions and aliases
/etc/profile – Sets environment variables
/etc/profile.d – A directory containing scripts that are called by the /etc/profile file
These files help you make sure that your users receive everything they need when they get started. If you require that settings be changed for your users, customizing these files is the way to go. Just make sure that when you're editing files for distribution, you're editing the system-wide config files and not the config files within a user's home directory.
Tips
[root@server1 ~]# ls -a /home/ayyappan/
. .. .bash_history .bash_logout .bash_profile .bashrc .gnome2 .mozilla
.bashrc – This file controls user variables and other profile settings during the login session. If you want a command to be executed automatically when the user logs on, put that command in this file. For example, if user "ayyappan" wants the screen cleared immediately after login, he adds the command at the end of this file.
vim .bashrc
# add your command only at the end of the file
clear
If a user's .bashrc ends with an exit command, the shell exits as soon as the user logs in, so the user can never get an interactive login with that account; keep this in mind when editing these files.
.bash_profile – This script tells the user's session to read .bashrc for aliases and functions. It also sets the user's command path. To have your own home directory searched for commands, add it to PATH in this file. For example, if user "ayyappan" wants his home directory checked when executing commands, he can add this line to his .bash_profile:
vim .bash_profile
PATH=$PATH:$HOME/bin:/home/ayyappan
.bash_logout – This file is used to clear the terminal after the current user exits.
vim /home/ayyappan/.bash_logout
# ~/.bash_logout
clear
Tips
To stop files from being overwritten by redirection
[root@server1 Desktop]# set -o noclobber
[root@server1 Desktop]# echo "ayyappan" > test
bash: test: cannot overwrite existing file
[root@server1 Desktop]# set +o noclobber
[root@server1 Desktop]# echo "ayyappan" > test
[root@server1 Desktop]# cat test
ayyappan
To stop Ctrl+D from logging out of the terminal
[root@server1 Desktop]# set -o ignoreeof
Press Ctrl+D
[root@server1 Desktop]# Use "exit" to leave the shell.
[root@server1 Desktop]# set +o ignoreeof
Now press Ctrl+D
The default login file /etc/login.defs
- This file controls specific settings relating to system-wide user logins and passwords.
[root@server1 ~]# grep -v ^# /etc/login.defs
MAIL_DIR /var/spool/mail
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
UID_MIN 500
UID_MAX 60000
GID_MIN 500
GID_MAX 60000
CREATE_HOME yes
UMASK 077
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
MD5_CRYPT_ENAB no
These values should all be self-explanatory. You can edit them if you don't like the given defaults, but remember that they are local to this system and don't apply to other systems on your network unless you change them there as well. Initialization files can save you a great deal of time, because you don't have to create custom profiles and scripts for individual users every time they are created. This does take some planning ahead, however, to make sure that your files and custom scripts are distributed to all users (even those that have already been created).
Switching accounts
- "su" enables you to run a command as another user or switch user accounts.
Examples
su username
su - username
- The "su" command moves you into the root user account without initializing any of root's path or shell variables.
- With "su -", everything is initialized as if you were logging in from the console.
- "sudo" enables you to run a command as the root user.
The default useradd file /etc/default/useradd
[root@server1 ~]# cat /etc/default/useradd
# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
To specify which tty devices allow root to log in:
[root@server1 Desktop]# cat /etc/securetty
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
User and group management commands: man pages and help output
[root@server1 Desktop]# useradd --usage
useradd: unrecognized option '--usage'
Usage: useradd [options] LOGIN
Options:
-b, --base-dir BASE_DIR base directory for the home directory of the new account
-c, --comment COMMENT GECOS field of the new account
-d, --home-dir HOME_DIR home directory of the new account
-D, --defaults print or change default useradd configuration
-e, --expiredate EXPIRE_DATE expiration date of the new account
-f, --inactive INACTIVE password inactivity period of the new account
-g, --gid GROUP name or ID of the primary group of the new
account
-G, --groups GROUPS list of supplementary groups of the new
account
-h, --help display this help message and exit
-k, --skel SKEL_DIR use this alternative skeleton directory
-K, --key KEY=VALUE override /etc/login.defs defaults
-l, --no-log-init do not add the user to the lastlog and
faillog databases
-m, --create-home create the user's home directory
-M, --no-create-home do not create the user's home directory
-N, --no-user-group do not create a group with the same name as
the user
-o, --non-unique allow to create users with duplicate
(non-unique) UID
-p, --password PASSWORD encrypted password of the new account
-r, --system create a system account
-s, --shell SHELL login shell of the new account
-u, --uid UID user ID of the new account
-U, --user-group create a group with the same name as the user
-Z, --selinux-user SEUSER use a specific SEUSER for the SELinux user mapping
[root@server1 Desktop]# groupadd --usage
groupadd: unrecognized option '--usage'
Usage: groupadd [options] GROUP
Options:
-f, --force exit successfully if the group already exists,
and cancel -g if the GID is already used
-g, --gid GID use GID for the new group
-h, --help display this help message and exit
-K, --key KEY=VALUE override /etc/login.defs defaults
-o, --non-unique allow to create groups with duplicate
(non-unique) GID
-p, --password PASSWORD use this encrypted password for the new group
-r, --system create a system account
[root@server1 Desktop]# userdel --usage
userdel: unrecognized option '--usage'
Usage: userdel [options] LOGIN
Options:
-f, --force force removal of files,
even if not owned by user
-h, --help display this help message and exit
-r, --remove remove home directory and mail spool
-Z, --selinux-user remove SELinux user from SELinux user mapping
groupdel groupname
[root@server1 Desktop]# passwd --help
Usage: passwd [OPTION...]
-k, --keep-tokens keep non-expired authentication tokens
-d, --delete delete the password for the named account (root only)
-l, --lock lock the named account (root only)
-u, --unlock unlock the named account (root only)
-f, --force force operation
-x, --maximum=DAYS maximum password lifetime (root only)
-n, --minimum=DAYS minimum password lifetime (root only)
-w, --warning=DAYS number of days warning users receives before password
expiration (root only)
-i, --inactive=DAYS number of days after password expiration when an account
becomes disabled (root only)
-S, --status report password status on the named account (root only)
--stdin read new tokens from stdin (root only)
Help options:
-?, --help Show this help message
--usage Display brief usage message
[root@server1 Desktop]# gpasswd --help
gpasswd: unrecognized option '--help'
Usage: gpasswd [option] GROUP
Options:
-a, --add USER add USER to GROUP
-d, --delete USER remove USER from GROUP
-r, --remove-password remove the GROUP's password
-R, --restrict restrict access to GROUP to its members
-M, --members USER,... set the list of members of GROUP
-A, --administrators ADMIN,...
set the list of administrators for GROUP
Except for the -A and -M options, the options cannot be combined.
[root@server1 Desktop]# usermod --usage
Usage: usermod [options] LOGIN
Options:
-c, --comment COMMENT new value of the GECOS field
-d, --home HOME_DIR new home directory for the user account
-e, --expiredate EXPIRE_DATE set account expiration date to EXPIRE_DATE
-f, --inactive INACTIVE set password inactive after expiration
to INACTIVE
-g, --gid GROUP force use GROUP as new primary group
-G, --groups GROUPS new list of supplementary GROUPS
-a, --append append the user to the supplemental GROUPS
mentioned by the -G option without removing
him/her from other groups
-h, --help display this help message and exit
-l, --login NEW_LOGIN new value of the login name
-L, --lock lock the user account
-m, --move-home move contents of the home directory to the
new location (use only with -d)
-o, --non-unique allow using duplicate (non-unique) UID
-p, --password PASSWORD use encrypted password for the new password
-s, --shell SHELL new login shell for the user account
-u, --uid UID new UID for the user account
-U, --unlock unlock the user account
-Z, --selinux-user new SELinux user mapping for the user account
[root@server1 Desktop]# groupmod --usage
groupmod: unrecognized option '--usage'
Usage: groupmod [options] GROUP
Options:
-g, --gid GID change the group ID to GID
-h, --help display this help message and exit
-n, --new-name NEW_GROUP change the name to NEW_GROUP
-o, --non-unique allow to use a duplicate (non-unique) GID
-p, --password PASSWORD change the password to this (encrypted)
PASSWORD
[root@server1 Desktop]# id --help
Usage: id [OPTION]... [USERNAME]
Print user and group information for the specified USERNAME,
or (when USERNAME omitted) for the current user.
-a ignore, for compatibility with other versions
-Z, --context print only the security context of the current user
-g, --group print only the effective group ID
-G, --groups print all group IDs
-n, --name print a name instead of a number, for -ugG
-r, --real print the real ID instead of the effective ID, with -ugG
-u, --user print only the effective user ID
--help display this help and exit
--version output version information and exit
[root@server1 Desktop]# chsh --usage
chsh: unrecognized option '--usage'
Usage: chsh [ -s shell ] [ --list-shells ] [ --help ] [ --version ]
[ username ]
[root@server1 Desktop]# chage --usage
chage: unrecognized option '--usage'
Usage: chage [options] [LOGIN]
Options:
-d, --lastday LAST_DAY set date of last password change to LAST_DAY
-E, --expiredate EXPIRE_DATE set account expiration date to EXPIRE_DATE
-h, --help display this help message and exit
-I, --inactive INACTIVE set password inactive after expiration
to INACTIVE
-l, --list show account aging information
-m, --mindays MIN_DAYS set minimum number of days before password
change to MIN_DAYS
-M, --maxdays MAX_DAYS set maximim number of days before password
change to MAX_DAYS
-W, --warndays WARN_DAYS set expiration warning days to WARN_DAYS
User and group management examples
1. Create two user accounts and set their passwords
[root@server1 ~]# useradd -c "R.B. Ayyappan Babu" ayyappan
[root@server1 ~]# passwd ayyappan
Changing password for user ayyappan.
New password:
BAD PASSWORD: it is WAY too short
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[root@server1 ~]# useradd -c "T.V. REEGAN KUMAR" reegan
[root@server1 ~]# passwd reegan
Changing password for user reegan.
New password:
BAD PASSWORD: it is WAY too short
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
2. Create two groups and set their passwords
[root@server1 ~]# groupadd skylark
[root@server1 ~]# groupadd cordia
[root@server1 ~]# gpasswd skylark
Changing the password for group skylark
New Password:
Re-enter new password:
[root@server1 ~]# gpasswd cordia
Changing the password for group cordia
New Password:
Re-enter new password:
3. Delete (remove) a user's password (the account can then be logged into without a password)
[root@server1 ~]# passwd -d ayyappan
Removing password for user ayyappan.
passwd: Success
[root@server1 ~]# su - reegan
[reegan@server1 ~]$ su - ayyappan
[ayyappan@server1 ~]$ su - reegan
Password:
[reegan@server1 ~]$ logout
[ayyappan@server1 ~]$ logout
[reegan@server1 ~]$ logout
4. Remove the group password
[root@server1 ~]# grep -i "skylark" /etc/gshadow
skylark:$6$ECeZYcwRCL/Je$ugbDKhVRsxf2t3wY1swVR6aCnjKvN2nnvJsmBwl28uNqBofoOT.EyO9k3bYdeU1DrH2D3WcHBJbC6/ILjbweQ/::
[root@server1 ~]# gpasswd -r skylark
[root@server1 ~]# grep -i "skylark" /etc/gshadow
skylark:::
5. Lock and unlock user login password
First to check the status
[root@server1 Desktop]# passwd -S ayyappan
ayyappan PS 2012-10-01 0 99999 7 -1 (Password set, SHA512 crypt.)
[root@server1 Desktop]# passwd -l ayyappan (or: usermod -L ayyappan)
Locking password for user ayyappan.
passwd: Success
[root@server1 Desktop]# su - reegan
[reegan@server1 ~]$ su - ayyappan
Password:
su: incorrect password
[root@server1 Desktop]# passwd -u ayyappan
Unlocking password for user ayyappan.
passwd: Warning: unlocked password would be empty.
passwd: Unsafe operation (use -f to force)
[root@server1 Desktop]# passwd -fu ayyappan (or: usermod -U ayyappan)
Unlocking password for user ayyappan.
passwd: Success
[root@server1 Desktop]# su - reegan
[reegan@server1 ~]$ su - ayyappan
[ayyappan@server1 ~]$
Or
[root@server1 Desktop]# passwd ayyappan
[root@server1 Desktop]# passwd reegan
[root@server1 Desktop]# usermod -L ayyappan
[root@server1 Desktop]# su - reegan
[reegan@server1 ~]$ su - ayyappan
Password:
su: incorrect password
[reegan@server1 ~]$ logout
[root@server1 Desktop]# usermod -U ayyappan
[root@server1 Desktop]# su - reegan
[reegan@server1 ~]$ su - ayyappan
Password:
[ayyappan@server1 ~]$ logout
[reegan@server1 ~]$ logout
6. Delete the username and groupname
[root@server1 Desktop]# userdel -rf ayyappan
[root@server1 Desktop]# userdel -rf reegan
[root@server1 Desktop]# groupdel cordia
[root@server1 Desktop]# groupdel skylark
7. To change the username "ayyappan" to "babu" and the group name "rooman" to "skylark"
[root@server1 ~]# usermod -l babu ayyappan
[root@server1 ~]# groupmod -n skylark rooman
[root@server1 ~]# grep -i "ayyappan" /etc/passwd
babu:x:500:500::/home/ayyappan:/bin/bash
[root@server1 ~]# grep -i "skylark" /etc/group
skylark:x:501:
8. Add user "ayyappan" to the primary group "skylark"
Add user "babu" to the primary and secondary groups "skylark" and "cordia"
[root@server1 Desktop]# usermod -g skylark ayyappan
[root@server1 Desktop]# usermod -G cordia babu
[root@server1 Desktop]# usermod -G cordia,skylark babu
9. To check the user ID (UID) and group ID (GID), then change them.
The RHEL default starting value is 500 and the maximum limit is 65534.
[root@server1 Desktop]# id ayyappan
uid=500(ayyappan) gid=502(skylark) groups=502(skylark)
[root@server1 Desktop]# id babu
uid=501(babu) gid=501(babu) groups=501(babu),502(skylark),503(cordia)
[root@server1 Desktop]# usermod -u 700 ayyappan
[root@server1 Desktop]# usermod -u 701 babu
[root@server1 Desktop]# groupmod -g 900 skylark
[root@server1 Desktop]# groupmod -g 901 cordia
[root@server1 Desktop]# id ayyappan
uid=700(ayyappan) gid=900(skylark) groups=900(skylark)
[root@server1 Desktop]# id babu
uid=701(babu) gid=501(babu) groups=501(babu),900(skylark),901(cordia)
[root@server1 Desktop]# groupmod -g 701 babu
[root@server1 Desktop]# id babu
uid=701(babu) gid=701(babu) groups=701(babu),900(skylark),901(cordia)
10. Remove user from group
[root@server1 /]# usermod -g skylark ayyappan
[root@server1 /]# usermod -G skylark,cordia babu
[root@server1 /]# id ayyappan
uid=502(ayyappan) gid=504(skylark) groups=504(skylark)
[root@server1 /]# id babu
uid=503(babu) gid=503(babu) groups=503(babu),504(skylark),505(cordia)
[root@server1 /]# gpasswd -d ayyappan skylark
Removing user ayyappan from group skylark
gpasswd: user 'ayyappan' is not a member of 'skylark'
[root@server1 /]# gpasswd -d babu skylark
Removing user babu from group skylark
[root@server1 /]# gpasswd -d babu cordia
Removing user babu from group cordia
[root@server1 /]# id babu
uid=503(babu) gid=503(babu) groups=503(babu)
11. Move the contents of the home directory of user "ayyappan" to a new location
[root@server1 ~]# ls -l /home/
total 4
drwx------. 4 ayyappan ayyappan 4096 Jul 25 09:51 ayyappan
[root@server1 ~]# mkdir /newhome
[root@server1 ~]# usermod -m -d /newhome/ayyappan ayyappan
[root@server1 ~]# ls -l /home
total 0
[root@server1 ~]# ls -l /newhome/
total 4
drwx------. 4 ayyappan ayyappan 4096 Jul 25 09:51 ayyappan
12. Create a user without a home directory, then change the shell so that the user cannot log in
[root@server1 ~]# useradd -M ftpuser
[root@server1 ~]# ls -l /home/
total 0
[root@server1 ~]# passwd ftpuser
[root@server1 ~]# su - ftpuser
su: warning: cannot change directory to /home/ftpuser: No such file or directory
-bash-4.1$ echo $SHELL
/bin/bash
[root@server1 ~]# chsh -l (to list the valid shells)
/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh
[root@server1 ~]# chsh -s /sbin/nologin ftpuser
Changing shell for ftpuser.
Shell changed.
[root@server1 ~]# su - ftpuser
su: warning: cannot change directory to /home/ftpuser: No such file or directory
This account is currently not available.
13. Create a user without a group of the same name as the user
[root@server1 /]# useradd -N ayyappan; passwd ayyappan;id ayyappan
Changing password for user ayyappan.
New password:
BAD PASSWORD: it is WAY too short
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
uid=502(ayyappan) gid=100(users) groups=100(users)
14. Command to check that the /etc/passwd and /etc/shadow files have the proper format and contain valid data
[root@server1 Desktop]# pwck
user 'adm': directory '/var/adm' does not exist
user 'uucp': directory '/var/spool/uucp' does not exist
user 'gopher': directory '/var/gopher' does not exist
user 'avahi-autoipd': directory '/var/lib/avahi-autoipd' does not exist
user 'pulse': directory '/var/run/pulse' does not exist
user 'saslauth': directory '/var/empty/saslauth' does not exist
pwck: no changes
pwck [options]
-q – report errors only
-r – read only mode
-s – sort entries in /etc/passwd and /etc/shadow by UID
15. To show the defaults used when creating a user, and how to change them
[root@server1 Desktop]# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
[root@server1 Desktop]# mkdir /changehome
[root@server1 Desktop]# chsh -l
/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh
[root@server1 Desktop]# useradd -D -b /changehome/ [change default home directory]
[root@server1 Desktop]# useradd -D -s /bin/sh [change default shell]
[root@server1 ~]# useradd -D
GROUP=100
HOME=/changehome/
INACTIVE=-1
EXPIRE=
SHELL=/bin/sh
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
[root@server1 ~]# useradd redhat
[root@server1 ~]# ls /changehome/
redhat
[root@server1 ~]# su redhat
sh-4.1$ echo $SHELL
/bin/sh
sh-4.1$
16. Add users and groups in bulk using a for loop
[root@server1 Desktop]# for USER in reegan mani anbu
> do
> useradd $USER
> echo "password" | passwd --stdin $USER
> done
Changing password for user reegan.
passwd: all authentication tokens updated successfully.
Changing password for user mani.
passwd: all authentication tokens updated successfully.
Changing password for user anbu.
passwd: all authentication tokens updated successfully.
[root@server1 Desktop]# for GROUP in skylark cordia
> do
> groupadd $GROUP
> done
17. Manage Linux password expiration and aging using the "chage" command.
List the password and its related details for a user
[root@server1 Desktop]# chage -l reegan
Last password change : Jul 26, 2012
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
Set reegan's password to expire 10 days after the last password change
[root@server1 Desktop]# chage -M 10 reegan
[root@server1 Desktop]# chage -l reegan
Last password change : Jul 26, 2012
Password expires : Aug 05, 2012
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 10
Number of days of warning before password expires : 7
Set the account expiry date for a user
[root@server1 Desktop]# chage -E 2012-08-06 reegan
[root@server1 Desktop]# chage -l reegan
Last password change : Jul 26, 2012
Password expires : Aug 05, 2012
Password inactive : never
Account expires : Aug 06, 2012
Minimum number of days between password change : 0
Maximum number of days between password change : 10
Number of days of warning before password expires : 7
Set the password to become inactive x days after it expires
[root@server1 Desktop]# chage -I 10 reegan
[root@server1 Desktop]# chage -l reegan
Last password change : Jul 26, 2012
Password expires : Aug 05, 2012
Password inactive : Aug 15, 2012
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 10
Number of days of warning before password expires : 7
Reset everything to the defaults
[root@server1 Desktop]# chage -m 0 -M 99999 -I -1 -E -1 reegan
[root@server1 Desktop]# chage -l reegan
Last password change : Jul 26, 2012
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
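The chage output above is computed from the aging fields of /etc/shadow. As an added example (not from the original notes), this Python code renders those fields the way chage -l prints them and applies chage-style changes (-m, -M, -I, -E) to a constructed record whose last password change is Jul 26, 2012; the expiry and inactive dates follow the rules chage uses (an empty field, or a maximum age of 10000 days or more, prints as never).

```python
"""Interpret the aging fields of an /etc/shadow record as chage -l reports
them, and apply chage-style changes to the record.  The record used in the
test is constructed (last change Jul 26, 2012), not taken from a system."""
from datetime import date, timedelta
from typing import Dict, Optional, Union

EPOCH = date(1970, 1, 1)
NEVER = 10000  # chage reports a maximum age of 10000 days or more as "never"


def days_since_epoch(d: date) -> int:
    """Calendar date -> day count as stored in /etc/shadow (chage -E takes a date)."""
    return (d - EPOCH).days


def _fmt(days: int) -> str:
    """Render a day count the way chage prints it, e.g. "Aug 05, 2012"."""
    return (EPOCH + timedelta(days=days)).strftime("%b %d, %Y")


def _num(field: str, default: int) -> int:
    """Empty numeric fields in /etc/shadow mean "not set"."""
    return int(field) if field else default


def aging_report(shadow_line: str) -> Dict[str, str]:
    """Reproduce the chage -l listing from one shadow record."""
    f = shadow_line.split(":")
    if len(f) != 9:
        raise ValueError(f"malformed shadow line: {shadow_line!r}")
    last, mind, maxd = _num(f[2], -1), _num(f[3], -1), _num(f[4], -1)
    warn, inact, expdays = _num(f[5], -1), _num(f[6], -1), _num(f[7], -1)
    if last == 0:  # chage -d 0 forces a password change at next login
        change = expires = inactive = "password must be changed"
    else:
        change = "never" if last < 0 else _fmt(last)
        no_expiry = last < 0 or maxd < 0 or maxd >= NEVER
        expires = "never" if no_expiry else _fmt(last + maxd)
        inactive = "never" if no_expiry or inact < 0 else _fmt(last + maxd + inact)
    return {
        "Last password change": change,
        "Password expires": expires,
        "Password inactive": inactive,
        "Account expires": "never" if expdays < 0 else _fmt(expdays),
        "Minimum number of days between password change": str(mind),
        "Maximum number of days between password change": str(maxd),
        "Number of days of warning before password expires": str(warn),
    }


def chage(shadow_line: str, mindays: Optional[int] = None,
          maxdays: Optional[int] = None, inactive: Optional[int] = None,
          expiredate: Union[date, int, None] = None) -> str:
    """Return the record after chage -m/-M/-I/-E; -1 clears a field as chage does."""
    f = shadow_line.split(":")
    if len(f) != 9:
        raise ValueError(f"malformed shadow line: {shadow_line!r}")

    def store(v: int) -> str:
        return "" if v < 0 else str(v)

    if mindays is not None:
        f[3] = store(mindays)
    if maxdays is not None:
        f[4] = store(maxdays)
    if inactive is not None:
        f[6] = store(inactive)
    if isinstance(expiredate, date):
        f[7] = str(days_since_epoch(expiredate))
    elif expiredate is not None:
        f[7] = store(expiredate)
    return ":".join(f)
```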
18. How to add users in bulk using the "newusers" command.
[root@server1 Desktop]# touch adduser.txt [create one text file]
[root@server1 Desktop]# vim adduser.txt [add user details /etc/passwd file model]
babu:password:501:501::/home/babu:/bin/bash
kumar:password:502:502::/home/kumar:/bin/bash
:wq!
[root@server1 Desktop]# newusers adduser.txt [use the "newusers" command]
[root@server1 Desktop]# ls /home/
babu kumar ayyappan
19. groupmems command examples
# groupmems [options] [action]
[options]
-g groupname
[action]
-a add username
-d delete username
-l list
-p purge all members from the groups
[root@server1 Desktop]# groupmems -g ibm -a ayyappan
[root@server1 Desktop]# groupmems -g ibm -a kumar
[root@server1 Desktop]# groupmems -g ibm -l
babu ayyappan kumar
ACL (Access Control List)
[root@server1 Desktop]# for USER in ayyappan babu reegan
> do
> useradd $USER
> echo "password" | passwd --stdin $USER
> done
Changing password for user ayyappan.
passwd: all authentication tokens updated successfully.
Changing password for user babu.
passwd: all authentication tokens updated successfully.
Changing password for user reegan.
passwd: all authentication tokens updated successfully.
[root@server1 Desktop]# groupadd skylark
[root@server1 Desktop]# for USER in ayyappan babu reegan
> do
> usermod -G skylark $USER
> done
[root@server1 Desktop]# id ayyappan
uid=500(ayyappan) gid=500(ayyappan) groups=500(ayyappan),503(skylark)
[root@server1 Desktop]# id babu
uid=501(babu) gid=501(babu) groups=501(babu),503(skylark)
[root@server1 Desktop]# id reegan
uid=502(reegan) gid=502(reegan) groups=502(reegan),503(skylark)
[root@server1 Desktop]# mkdir /example
[root@server1 Desktop]# chown ayyappan:skylark /example
[root@server1 Desktop]# ls -ld /example
drwxr-xr-x. 2 ayyappan skylark 4096 Aug 3 12:34 /example
[root@server1 Desktop]# su - ayyappan
[ayyappan@server1 ~]$ cd /example/
[ayyappan@server1 example]$ mkdir account
[ayyappan@server1 example]$ ll
total 4
drwxrwxr-x. 2 ayyappan ayyappan 4096 Aug 3 12:36 account
[ayyappan@server1 example]$ getfacl account
# file: account
# owner: ayyappan
# group: ayyappan
user::rwx
group::rwx
other::r-x
[ayyappan@server1 example]$ setfacl -m u:reegan:rwx account
[ayyappan@server1 example]$ setfacl -m g:skylark:r-x account
[ayyappan@server1 example]$ setfacl -m o:--- account
[ayyappan@server1 example]$ getfacl account
# file: account
# owner: ayyappan
# group: ayyappan
user::rwx
user:reegan:rwx
group::rwx
group:skylark:r-x
mask::rwx
other::---
[ayyappan@server1 example]$ su - reegan
Password:
[reegan@server1 ~]$ cd /example/
[reegan@server1 example]$ cd account/
[reegan@server1 account]$ touch test
[reegan@server1 account]$ ll
total 0
-rw-rw-r--. 1 reegan reegan 0 Aug 3 12:39 test
[reegan@server1 account]$ su - babu
Password:
[babu@server1 ~]$ cd /example/account/
[babu@server1 account]$ touch babutest
touch: cannot touch `babutest': Permission denied
[babu@server1 account]$ ll
total 0
-rw-rw-r--. 1 reegan reegan 0 Aug 3 12:39 test
[babu@server1 account]$ logout
[reegan@server1 account]$ logout
[ayyappan@server1 example]$ logout
[root@server1 Desktop]# useradd kumar; passwd kumar
Changing password for user kumar.
New password:
BAD PASSWORD: it is based on a dictionary word
Retype new password:
passwd: all authentication tokens updated successfully.
[root@server1 Desktop]# su - kumar
[kumar@server1 ~]$ cd /example/account/
-bash: cd: /example/account/: Permission denied
[kumar@server1 ~]$ logout
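Why reegan can write in account, babu can only read and traverse it, and kumar cannot enter it at all follows from the POSIX ACL access-check order (owner entry, then named user, then owning group and named groups, then other), with the mask capping every entry except the owner and other entries. As an added example (not part of the original notes), this Python code parses the getfacl output shown above and applies that algorithm; the group membership table is constructed to match the id output above.

```python
"""Evaluate the POSIX ACL access check (the acl(5) algorithm) against the ACL
that was set on /example/account above.  The getfacl text and the group table
are constructed here to match that session; nothing is read from the system."""
from typing import Dict, List, Set, Tuple

GETFACL_OUTPUT = """\
# file: account
# owner: ayyappan
# group: ayyappan
user::rwx
user:reegan:rwx
group::rwx
group:skylark:r-x
mask::rwx
other::---
"""
# Constructed group memberships (primary + supplementary), as in the id output
# above: ayyappan, reegan and babu share skylark; kumar shares nothing.
GROUPS_OF: Dict[str, Set[str]] = {
    "ayyappan": {"ayyappan", "skylark"},
    "reegan": {"reegan", "skylark"},
    "babu": {"babu", "skylark"},
    "kumar": {"kumar"},
}


def _perms(s: str) -> Set[str]:
    return {c for c in s if c in "rwx"}


class Acl:
    def __init__(self) -> None:
        self.owner = self.group = ""
        self.user_obj: Set[str] = set()    # user::  (owner, never masked)
        self.group_obj: Set[str] = set()   # group:: (owning group, masked)
        self.other: Set[str] = set()       # other:: (never masked)
        self.mask: Set[str] = set("rwx")   # mask::  caps named users/groups
        self.named_users: Dict[str, Set[str]] = {}
        self.named_groups: Dict[str, Set[str]] = {}

    def masked(self, p: Set[str]) -> Set[str]:
        return p & self.mask


def parse_getfacl(text: str) -> Acl:
    """Parse getfacl output (access ACL only; default: entries are skipped)."""
    acl = Acl()
    for raw in text.splitlines():
        # strip a trailing "#effective:..." comment from entry lines
        line = raw if raw.startswith("#") else raw.split("#", 1)[0].strip()
        if line.startswith("# owner: "):
            acl.owner = line[9:]
        elif line.startswith("# group: "):
            acl.group = line[9:]
        elif not line or line.startswith(("#", "default:")):
            continue
        else:
            tag, qual, perms = line.split(":")  # e.g. "group:skylark:r-x"
            p = _perms(perms)
            if tag == "user" and qual:
                acl.named_users[qual] = p
            elif tag == "user":
                acl.user_obj = p
            elif tag == "group" and qual:
                acl.named_groups[qual] = p
            elif tag == "group":
                acl.group_obj = p
            elif tag == "mask":
                acl.mask = p
            elif tag == "other":
                acl.other = p
            else:
                raise ValueError(f"unknown ACL entry: {line!r}")
    return acl


def check_access(acl: Acl, user: str, groups: Set[str],
                 wanted: str) -> Tuple[bool, str]:
    """Decide whether user gets all of wanted (e.g. "wx") and which entry decided."""
    need = _perms(wanted)
    if user == acl.owner:
        return need <= acl.user_obj, "user:: (owner entry)"
    if user in acl.named_users:
        return need <= acl.masked(acl.named_users[user]), f"user:{user}: (masked)"
    matches: List[Tuple[str, Set[str]]] = []
    if acl.group in groups:
        matches.append(("group:: (owning group, masked)", acl.masked(acl.group_obj)))
    matches += [(f"group:{g}: (masked)", acl.masked(p))
                for g, p in acl.named_groups.items() if g in groups]
    for label, p in matches:
        if need <= p:  # any one matching group entry may grant the request
            return True, label
    if matches:
        return False, f"no matching group entry grants {wanted}"
    return need <= acl.other, "other::"
```

Creating a file needs w and x on the directory, and entering it needs x, which is what the touch and cd attempts above exercised.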
RHCE Linux – the /etc/nologin file and the /etc/securetty file
You are the administrator of the example.com domain. Configure the server to deny local login to all normal users, and allow root to log in only on the first terminal.
First log in as root and run these commands
[root@server1 Desktop]# touch /etc/nologin
[root@server1 Desktop]# cat /etc/securetty
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
#tty2
#tty3
#tty4
#tty5
#tty6
#tty7
#tty8
#tty9
#tty10
#tty11
:wq!
[root@server1 Desktop]# useradd ayyappan
[root@server1 Desktop]# echo "redhat" | passwd --stdin ayyappan
[root@server1 Desktop]# init 3
Alt + F2